In CF5, there are the undocumented CFUSION_ENCRYPT / CFUSION_DECRYPT
functions you can use to encrypt the passwords, and be able to decrypt them
if needed (for a "mail me my password" type routine).

However, a one way hash is more secure.  Also, you'd be better to hash the
entered password and compare it to the database, rather than asking for the
password from the database then comparing it - the latter method involves
moving your password around, which could be deemed less secure.

For example:

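<cfset HashedPwd = hash(Form.Password, key)>

<!--- Bind the form values with cfqueryparam rather than quoting them inline --->
<cfquery name="CheckUser"...>
        Select *
        From table
        Where username = <cfqueryparam value="#Form.Username#" cfsqltype="CF_SQL_VARCHAR">
        AND password = <cfqueryparam value="#HashedPwd#" cfsqltype="CF_SQL_VARCHAR">
</cfquery>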

My thoughts.....

Shawn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, February 24, 2003 4:29 PM
To: CF-Talk
Subject: Re: Password fields in MS SQL Server 2000


No.  But you could store the passwords as an md5 hash, using CF's md5
function.  Of course, this is a one way hash, so you couldn't tell users
their passwords if they forgot them.

----- Original Message -----
From: "Tilbrook, Peter" <[EMAIL PROTECTED]>
Date: Monday, February 24, 2003 4:17 pm
Subject: Password fields in MS SQL Server 2000

> Hi there,
> 
> Just wondering if there is a setting in SQL Server to hide password fields
> like in MS Access.
> 
> At the moment the fields are just nvarchar which sort of defeats the purpose
> of having a password field in the database (even using SSL for logging in).
> 
> Thanks!
> 
> ==
> Peter Tilbrook
> Internet Applications Developer
> Australian Building Codes Board
> GPO Box 9839
> CANBERRA ACT 2601
> AUSTRALIA
> 
>      WWW: http://www.abcb.gov.au/
>   E-Mail: [EMAIL PROTECTED]
> Telephone: +61 (02) 6213 6731
>   Mobile: 0439 401 823
> Facsimile: +61 (02) 6213 7287 
